SSL, Gone in 30 Seconds - A BREACH beyond CRIME

Presented at Black Hat USA 2013, Aug. 1, 2013, 3:30 p.m. (60 minutes)

In this hands-on talk, we will introduce new targeted techniques and research that allows an attacker to reliably retrieve encrypted secrets (session identifiers, CSRF tokens, OAuth tokens, email addresses, ViewState hidden fields, etc.) from an HTTPS channel. We will demonstrate this new browser vector is real and practical by executing a PoC against a major enterprise product in under 30 seconds. We will describe the algorithm behind the attack, how the usage of basic statistical analysis can be applied to extract data from dynamic pages, as well as practical mitigations you can implement today. We will also describe the posture of different SaaS vendors vis-à-vis this attack. Finally, to provide the community with ability to build on our research, determine levels of exposure, and deploy appropriate protection, we will release the BREACH tool.

Presenters:

• Yoel Gluck - Salesforce.com
  Yoel Gluck is a security researcher with 12 years of experience in the industry. He is currently a Lead Product Security Engineer at Salesforce.com. Yoel graduated from Bar-Ilan University (Israel) with a B.Sc in Computer Science and Math. Using his experience as a software engineer, he attempts to break applications by analyzing developer design patterns. His research areas include web application, network, virtualization, encryption, and email security. When he's not busy analyzing security risks, he enjoys spending time with his two-year-old daughter.
• Angelo Prado - Salesforce.com
  Angelo Prado is a Lead Product Security Engineer at Salesforce.com. He has worked as a software and security engineer for Microsoft and Motorola. Angelo has been involved with the security community for over 8 years, and he has spoken at Georgetown University (Washington, D.C.), Comillas University (Madrid) and Coruña University (Galicia, Spain). Angelo holds a Master's degree in Computer Science from Universidad Pontificia Comillas, Madrid and has also attended University of Illinois at Urbana-Champaign. His passions & research include web application security, windows security, browsers, malware analysis and Spanish Jamón.
• Neal Harris - Square, Inc.
  While studying pure math in school, I dipped my toes into the world of security by spending summers doing cryptanalysis. After stumbling through a PhD at UC San Diego, I left academia to pursue a full-time career breaking things, and helping developers make things that are harder to break.

Links:

• https://www.blackhat.com/us-13/archives.html#Prado
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2013/video/Black Hat 2013 - SSL, Gone in 30 Seconds - A BREACH beyond CRIME.mp4
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2013/video/Black Hat 2013 - SSL, Gone in 30 Seconds - A BREACH beyond CRIME.srt (subtitles)
• https://www.youtube.com/watch?v=CoNKarq1IYA
• https://media.blackhat.com/us-13/US-13-Prado-SSL-Gone-in-30-seconds-A-BREACH-beyond-CRIME-Slides.pdf
• https://media.blackhat.com/us-13/US-13-Prado-SSL-Gone-in-30-seconds-A-BREACH-beyond-CRIME-WP.pdf

Similar Presentations:

• Black Hat Asia 2016 / Practical New Developments in the BREACH Attack
• 44CON 2016 / Effortless, Agentless Breach Detection in the Enterprise: Token all the Things!
• ToorCon San Diego 15 (2013) / BREACHing SSL, one byte at a time